NYCC pushed promotions to attendees' social accounts... without permission.

New York Comic Con (NYCC) received many complaints Thursday and into Friday as attendees discovered that the event organizers had been tweeting from attendees’ accounts without their permission, according to Mashable. NYCC has since claimed that the process was opt-in, but its approach was perhaps a bit overeager.

NYCC stirred a bit of controversy going into its event by exclusively using RFID (radio-frequency ID) badges, which organizers said would smooth entrance to the conference and help crack down on fake badges. During the registration process, attendees had the opportunity to connect their social media accounts, including Facebook and Twitter, to their badges.

Apparently registration and use of those badges included an opt-in to allow NYCC to tweet from attendees’ accounts. Numerous requests by Ars via phone and e-mail to the organizers to obtain copies of either the opt-in dialogue or terms and conditions have not been returned, but the phrasing was apparently subtle or unclear enough that many attendees were shocked, annoyed, or disturbed to see the Con pushing posts to their accounts without their involvement.

The posts took the shape of a generic endorsement for the event—“I <3 NYCC!” was a common one—followed by a link to NYCC’s Facebook page. Third-party services often ask for permission to “tweet on a user’s behalf,” but that is generally taken to mean the service can forward a tweet either composed by the user or pre-composed by the service and reviewed by the user, not send a tweet without the user’s oversight or permission.

NYCC responded on its Twitter account, telling users, “do not fret if #NYCC-ID tweeted as you yesterday!” A representative passed Mashable a statement of intent and a non-apology: organizers have “since shut down this service completely and apologize for any perceived overstep.”
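The distinction drawn above, between a post the user reviewed and one sent without their oversight, can be enforced in the service itself instead of being left to policy. The following is an added example, not NYCC's or Twitter's code: `ConsentGate`, its methods and the `send` callable (standing in for whatever API client holds the delegated token) are hypothetical names.

```python
import hashlib
import hmac
import json
import secrets
import time


class ConsentGate:
    """Relays a post only if the account holder approved that exact text."""

    def __init__(self, ttl_seconds=300):
        self._key = secrets.token_bytes(32)  # server-side secret, never sent to clients
        self._ttl = ttl_seconds
        self._used = set()  # approvals already spent (blocks replay)
        self.audit = []     # (timestamp, user_id, text, decision) for later review

    def _mac(self, user_id, text, expires):
        # A JSON array gives an unambiguous encoding of the three bound fields.
        msg = json.dumps([user_id, expires, text]).encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def approve(self, user_id, text, now=None):
        """Call only from the review screen, after the user has seen `text`."""
        expires = int(time.time() if now is None else now) + self._ttl
        return f"{expires}.{self._mac(user_id, text, expires)}"

    def _check(self, user_id, text, approval, now):
        if not approval or approval in self._used:
            return "rejected: missing or replayed approval"
        expires_str, _, mac = approval.partition(".")
        if not (expires_str.isascii() and expires_str.isdigit()):
            return "rejected: malformed approval"
        expected = self._mac(user_id, text, int(expires_str))
        if not hmac.compare_digest(mac.encode("utf-8"), expected.encode("utf-8")):
            return "rejected: approval does not match this user and text"
        if now > int(expires_str):
            return "rejected: approval expired"
        return "sent"

    def post(self, user_id, text, approval, send, now=None):
        """Invoke `send` (hypothetical API-client callable) only with a valid approval."""
        now = time.time() if now is None else now
        decision = self._check(user_id, text, approval, now)
        if decision == "sent":
            self._used.add(approval)  # spend first so a retry cannot double-post
            send(user_id, text)
        self.audit.append((now, user_id, text, decision))
        return decision == "sent"
```

Holding a write-scoped token is not enough to get past `post`: a service-composed message with no approval, or with an approval issued for different text or a different user, is refused and the refusal is recorded in `audit`.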

Promoted Comments

Did they ask for the password or not? That is the crux of the issue for me and none of the reports I read have said so one way or the other.

If they asked for the password, this conduct is merely poopyheaded. If they didn't, and found a way to twittertweet or whatever without consent, I would be royally pissed.

They wouldn't need the user's actual password. When you connect Twitter to a service on the Web, you go through Twitter's login page and authorize the third-party service to connect. The service can then tweet for you (usually with your permission).

At some point though the user pressed a button that said 'Okay, I'll allow it!' correct?

I think the controversy is that they didn't explicitly say that they would tweet on one's behalf. Also, the tweets are designed to look like everyday speech, so unlike a game status update and whatnot, these tweets appear like they could plausibly come from the account holder.

Why on earth would I connect a social media account to a conbadge? What would that accomplish?

tweets sent from your account without permission.

Casey Johnston
Casey Johnston is the former Culture Editor at Ars Technica, and now does the occasional freelance story. She graduated from Columbia University with a degree in Applied Physics. Twitter: @caseyjohnston

Well, we know the NYCC twitter account had “do not fret if #NYCC-ID tweeted as you yesterday!” posted to it. I suppose we can't be sure who actually sent the tweet, though.

Also, has NYCC "Shut down the service?" Or have they shut it down and destroyed all traces of the login authorization information so nobody is tempted to hack/sell the data and compromise attendees' twitter accounts more maliciously?

Why on earth would I connect a social media account to a conbadge? What would that accomplish?

tweets sent from your account without permission.

Well, no shit!

I mean why would I want to do this if asked to? There must be some feature offered to the attendee to make NYCC better somehow, right? Or are they really stupid enough to just throw it in their registration process and expect users to blithely click next without looking, and then not get mad when tweets start happening?

Did they ask for the password or not? That is the crux of the issue for me and none of the reports I read have said so one way or the other.

If they asked for the password, this conduct is merely poopyheaded. If they didn't, and found a way to twittertweet or whatever without consent, I would be royally pissed.

Nope. You know those terrible apps that ask to link to your facebook so they can post dumb things like "DerpySweatpants just earned 500 points on Pumpkin carver extreme!" on your wall? It's like that. Users would have had to log into a portal page to link the two accounts but that password should be inaccessible to the event organizers, they just get permissions to your feed / wall whatever to post while logged into their management accounts.

At some point though the user pressed a button that said 'Okay, I'll allow it!' correct?

Ok here's part of the deal. When you registered a badge you have three options. Twitter, Facebook, or Provide a name and e-mail.

I don't like linking my Twitter or Facebook id to anything unless it's an app I really want to use and its purpose is to post on twitter or facebook.

It's a stupid move. But the reality is I hope the organization does this and gives people the middle finger and makes people realize what can happen when they let 3rd parties use Twitter or Facebook as a login engine.

Why on earth would I connect a social media account to a conbadge? What would that accomplish?

Bump into someone on the con floor and then immediately have easy access to look them up on Twitter with minimal effort. Just a guess as I have no idea how they've set up the badges. That is one easy to see benefit from it though.

They wouldn't need the user's actual password. When you connect Twitter to a service on the Web, you go through Twitter's login page and authorize the third-party service to connect. The service can then tweet for you (usually with your permission).

I must be old, because I cannot even imagine why that is a thing.

It's kind of the same idea as keeping a list of "trusted" devices on an account that normally requires 2FA. Authorize it once, revoke as needed. Convenience. Or in this case, maybe some fringe benefit like a free beer or something.

Or did you mean certain people's unquenchable thirst for linking every possible online account together into one massive bolus of pointless drivel? Because I don't know that one. That's Nobel Prize material.

Why on earth would I connect a social media account to a conbadge? What would that accomplish?

Bump into someone on the con floor and then immediately have easy access to look them up on Twitter with minimal effort. Just a guess as I have no idea how they've set up the badges. That is one easy to see benefit from it though.

Oh but see that's kind of cool. And also completely possible without granting any access rights to said accounts. Just use an NFC writer app and give your attendees a text field to put a signature in.

And then laugh when some jerk sets his to that Arabic string of nonsense that crashes Apple products.

Why on earth would I connect a social media account to a conbadge? What would that accomplish?

Nothing. This is akin to Legal Phone Slamming. You know back in the old days where you signed a piece of paper to join a contest sponsored by a phone company and the fine print reads, "You will use our service and we'll sign you up for it!" in a 2 point font?

Well this is sort of like it. For the badge they were all serialized so if it was stolen technically it is possible to shut down your old badge and issue a new one. And in order to verify yourself you had to register. So I guess hidden in there was some fine print text.

I mean most people that use twitter want to tell the world everything they are doing, right?

During the registration process, attendees had the opportunity to connect their social media accounts, including Facebook and Twitter, to their badges.

That was the attendee's problem to begin with that got hit with this. This is up there with opening a strange e-mail and clicking a link that claims to be from your friend or bank without checking first.

This is a thing because twitter has an API developers can use. Having you log directly into twitter provides a handshake that avoids you needing to give passwords out to any system you want to use for sending tweets.

Some developers use it for honest things like creating content management systems for your own website that will automatically also post links for you on twitter to newly posted articles so you don't need to do it manually.

Some developers work for rat bastard bosses who think that abusing their paying customers is a fantastic thing to do.

Yet another non-apology apology. These sorts of a-holes always want to blame the victim. If you didn't want to have your twitter account abused you shouldn't have paid to come to our convention, stupid luser!

Honestly stuff like this reminds me why I want to see reform on Terms of Service. Who knows what's in those things half the time... especially when you can only read it on software products AFTER you purchase it but now you can't get a refund if you don't accept because it's "used!"

I guess they just wanted to hype the show, but that really makes no sense since the show is completely sold out, and all the 3 and 4 days passes sold out quite a while ago.

I'd rather they did more promo work before the con to remind those of us not paying attention (*cough*) of when the show starts so we can get the passes we want and not get stuck with the 1 day Thursday pass. It was fun anyway, but still.

2 things that are more the Javits Center than NYCC - 1 - They need better ventilation in the main hall. They really need to call Bigassfans and get hooked up. 2 - Coatcheck? What coatcheck?!?

Honestly, I thought they'd be doing more with the RFIDs like PCExpo used to do (yeah, I'm old, hush now) with their barcode badges. You'd visit a booth/vendor/display you were interested in, scan, and be entered in contests and such or get info from the company, or just get counted as having stopped by. Vendors get an accurate count of traffic, you potentially (if you opted in) get info about vendors you couldn't get a good look at because people kept taking pics with one or more of the 400 Deadpool cosplayers.

Oh, and if you are going and haven't gotten there yet, the entrance isn't @ 11th & 37th St. You can't actually go into the entrance area to get scanned at that point. The entrance is basically 11th ave between 38th and 39th Street, so it's a complete wash if you get off the train @ 42nd or 34th street.

1. Acknowledge that people are upset.
2. Communicate that you understand that people are upset, and you understand why.
3. Accept responsibility for the incident that upset them.
4. Express regret that you made a mistake.
5. Promise to try to avoid making similar mistakes in the future (and mean it).
6. If possible, take actual meaningful steps that will help you avoid making a similar mistake in the future.

How not to apologize:

1. Tell users not to fret.
2. Express regret not over the actual incident that upset people, but for their perception of the incident.

Why on earth would I connect a social media account to a conbadge? What would that accomplish?

Bump into someone on the con floor and then immediately have easy access to look them up on Twitter with minimal effort. Just a guess as I have no idea how they've set up the badges. That is one easy to see benefit from it though.

In other words, it facilitates nerd hookups. This is the core purpose of NYCC. They are doing God's work, really. Too bad some shitbrain in management decided to betray their mandate of getting nerds to couple in order to advertise something that was going to be mentioned on their Twitter feed anyway...

The first time I ever had someone tweet from me I was shocked. More shocking was I couldn't see which service I'd authorized sent the tweet in question. Without an audit trail I simply shut down all third party access to my twitter account. I miss out on some cool integration, but without tighter access control, twitter is doing their users a grave disservice here.